From: Steve Grubb <sgrubb@redhat.com>
To: Rituraj Buddhisagar <rituraj@vayana.com>
Cc: linux-audit@redhat.com
Subject: Re: Audisp-remote - connection refused.
Date: Wed, 04 Oct 2017 12:28:45 -0400
Message-ID: <2019172.WnFgeQVnjg@x2>
In-Reply-To: <CAPHnQ1A=FDX9cgqvY5QaqYDu0aSPObZX4boqGB+4kj3YOoyA_g@mail.gmail.com>

On Wednesday, October 4, 2017 12:02:06 PM EDT Rituraj Buddhisagar wrote:
> Hi Steve,
> 
> I did the necessary,
> Change in auditd.conf - log_format to ENRICHED.
> write_logs set to "no" on client and "yes" on aggregating server.
> name_format was already set in auditd.conf and not in audispd.conf on both
> the servers.
> 
> I still do not see any logs coming in /var/log/audit/audit.log on
> aggregating server.

You can run auditd -f on both systems to see on screen what is happening. Then 
on the remote, auditctl -m test. You should see it on the remote screen 
followed by the server screen. If you do, then something is wrong with your 
config file paths.

If you don't see events, I think you have some troubleshooting of your own to 
do. I can't see your system so you'll have to figure it out. I also updated 
the INSTALL file in github to better reflect how to build and install it from 
scratch.

> Any debugging tools to see the queue of audisp-remote? The spool file
> /var/spool/audit/remote.log is not having entries populated (btw I had to
> create it manually).

It only uses a spool file if the mode is forward. Immediate mode does not use 
it.

> On Wed, Oct 4, 2017 at 8:49 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote:
> > > Hi Steve / List
> > > 
> > > Now, I have built auditd from source as per the mail thread and then
> > > also created a startup script.
> > > 
> > > The auditd is starting successfully.
> > > 
> > > The client is able to connect to the aggregating server.
> > > 
> > > 
> > > node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272):
> > > addr=192.168.103.2 port=60 res=success
> > > 
> > > 
> > > I have made the necessary change in the server in /etc/audit/auditd.conf
> > > 
> > > log_format = NOLOG
> > 
> > This is a deprecated option that tells it to not write anything to disk.
> > 
> > > I do not see any logs being populated - I checked log file on client,
> > > the server - also the /var/spool/audit/remote.log on the client.
> > > On the server side /var/spool/audit/remote.log is empty (I am not sure
> > > if this is something I should be checking at all)
> > > 
> > > I am clueless as to what is happening. Is there some way to debug this?
> > 
> > Did you modify auditd.conf to have the format be nolog? If so, it's an
> > explained condition. Nolog means no logging to disk.
> > 
> > > Where are these logs getting lost?
> > > When I change the log_format back to RAW I do see the logs getting created
> > > on the client.
> > 
> > For remote logging, you should set the format to enriched. This resolves
> > things locally so that the aggregating server can make sense of it later.
> > If you do not want events written to disk on the remote system, set
> > write_logs = no. You should also set name_format = hostname (or something
> > else) in auditd.conf of the remote systems. This is so you can tell who is
> > creating the events in the aggregating server.
> > 
> > On the aggregating server, also set the format to enriched. But there you
> > have to have write_logs = yes. Also set name_format = hostname in
> > auditd.conf of the server.
> > 
> > I would not recommend setting the name in audispd.conf for any system.
> > 
> > -Steve
> > 
> > > I did my best reading on net and debugging this - but no success. Please
> > > help.
> > > 
> > > On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > > On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> > > > > Steve,
> > > > > 
> > > > > Here is the relevant discussion on disabling the tcp listener on
> > > > > Ubuntu.
> > > > > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
> > > > > I do not know what exactly caused the change - but now I think it should
> > > > > be enabled in distributions.
> > > > > 
> > > > > Please let me know.
> > > > > 
> > > > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from
> > > > > source now. Still audispd is not started now - what is the way /
> > > > > sequence to start auditd and audispd - if you can point me to some
> > > > > reference or a startup script will help.
> > > > 
> > > > Since you installed in a non-standard location, you probably need to
> > > > adjust paths in the config files.
> > > > 
> > > > What I would recommend is not to build and install by hand, but to use
> > > > their package manager to build a new package with listening enabled. The
> > > > ./configure script takes a --disable-listener parameter. So, it's
> > > > probably as simple as deleting that in the source package and rebuilding.
> > > > 
> > > > That said, I have no idea how to build a package on Debian or Ubuntu.
> > > > 
> > > > -Steve
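
The auditd.conf settings Steve lays out in this thread (log_format = enriched on both sides, write_logs = no on the forwarding system and yes on the aggregator, name_format = hostname in auditd.conf, a listener on the aggregator) as a small config checker. This is an added example, not code from the thread or from the audit project. It assumes tcp_listen_port is the auditd.conf key that turns on the listener; the three sample config files are constructed, and the "bad" client one mirrors the NOLOG attempt described above.

```shell
#!/bin/sh
# Added example: check an auditd.conf against the remote-logging settings
# recommended in the thread. Sample files below are constructed, not real.

# Print the lowercased value of KEY from FILE. auditd.conf syntax is
# "key = value", '#' starts a comment, keys are matched case-insensitively.
# Prints nothing if the key is not set.
audit_conf_get() {
    file=$1; key=$2
    sed -e 's/#.*//' "$file" \
      | awk -F= -v k="$key" '
          { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
          tolower($1) == tolower(k) {
              v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print tolower(v); exit
          }'
}

# Compare one key against the wanted value; record a mismatch in $problems.
expect() {
    file=$1; key=$2; want=$3
    got=$(audit_conf_get "$file" "$key")
    if [ "$got" != "$want" ]; then
        problems="$problems $key=${got:-unset}(want $want);"
    fi
}

# audit_conf_check ROLE FILE
#   ROLE is "client" (the system forwarding events via audisp-remote) or
#   "server" (the aggregator). Returns 0 if every recommended setting is
#   present, 1 otherwise; mismatches are listed on stdout.
audit_conf_check() {
    role=$1; file=$2; problems=""
    expect "$file" log_format enriched      # resolve names locally
    expect "$file" name_format hostname     # tag events with the origin host
    case $role in
        client) expect "$file" write_logs no ;;
        server)
            expect "$file" write_logs yes
            # Assumption: tcp_listen_port is the auditd.conf key that enables
            # the listener the thread is about (distro builds may disable it).
            port=$(audit_conf_get "$file" tcp_listen_port)
            [ -n "$port" ] || problems="$problems tcp_listen_port=unset;"
            ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    if [ -n "$problems" ]; then
        echo "$role $file:$problems"
        return 1
    fi
    echo "$role $file: ok"
}

# Constructed sample configs (removed again when the script exits).
AUDIT_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DEMO_DIR"' EXIT

cat > "$AUDIT_DEMO_DIR/client-bad.conf" <<'EOF'
# constructed: the first attempt in the thread, nothing reaches the server
log_format = NOLOG
write_logs = yes
EOF

cat > "$AUDIT_DEMO_DIR/client-good.conf" <<'EOF'
# constructed: the remote (forwarding) system as recommended
log_format = ENRICHED
write_logs = no
name_format = hostname
EOF

cat > "$AUDIT_DEMO_DIR/server-good.conf" <<'EOF'
# constructed: the aggregating server; port matches the DAEMON_ACCEPT above
log_format = ENRICHED
write_logs = yes
name_format = hostname
tcp_listen_port = 60
EOF

for spec in "client:$AUDIT_DEMO_DIR/client-bad.conf" \
            "client:$AUDIT_DEMO_DIR/client-good.conf" \
            "server:$AUDIT_DEMO_DIR/server-good.conf"; do
    audit_conf_check "${spec%%:*}" "${spec#*:}" || :
done
```

Run it as a normal user; nothing here touches the live auditd. To check a real host, call `audit_conf_check client /etc/audit/auditd.conf` (or `server`) after the demo, and remember that the spool file only matters when audisp-remote runs in forward mode, so an empty remote.log in immediate mode is not a finding.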
